Weekly Cybersecurity Roundup: Jan 13, 2025 — Jan 19, 2025
Critical Aviatrix Controller Vulnerability Exploited Against Cloud Environments
A critical security vulnerability identified as CVE-2024-50603 has been discovered in Aviatrix Controller, a widely used cloud networking platform. This vulnerability allows unauthenticated remote code execution, posing significant risks to cloud environments. Notably, threat actors have been actively exploiting this flaw to deploy cryptocurrency miners and establish backdoors in compromised systems.
Key Details:
- Vulnerability Overview: CVE-2024-50603 has been assigned a CVSS score of 9.9 (Critical). It enables unauthenticated users to execute arbitrary commands on Aviatrix Controllers, leading to potential full system compromise.
- Exploitation in the Wild: Security researchers from Wiz have reported multiple incidents where attackers leveraged this vulnerability to deploy the XMRig cryptocurrency miner and the Sliver command-and-control framework, indicating sophisticated intrusion attempts.
- Affected Deployments: Instances of Aviatrix Controller, especially those deployed in Amazon Web Services (AWS) environments, are at heightened risk due to default privilege escalation settings.
Sources: Aviatrix Documentation, Wiz, The Hacker News
Microsoft 365 apps crash on Windows Server after Office update
Microsoft has identified and resolved a critical issue causing Microsoft 365 applications, including Classic Outlook, to crash on Windows Server 2016 and Windows Server 2019 systems. The problem emerged after users updated to Version 2412 (Build 18324.20168) or Version 2412 (Build 18324.20190) of these applications.
Issue Details:
- Affected Versions: Microsoft 365 applications updated to Version 2412 (Build 18324.20168) or Version 2412 (Build 18324.20190).
- Symptoms: Applications such as Word, Excel, Outlook, and PowerPoint would crash approximately 15 seconds after launch.
- Root Cause: The crashes were linked to an Office update that integrated the React Native framework to support certain features in Microsoft 365 apps.
Resolution:
Microsoft has released an update to address this issue in Version 2412 (Build 18324.20194). Users with automatic updates enabled should receive this fix without intervention. For those managing updates manually, it’s recommended to download and deploy the latest update promptly.
Workaround:
If immediate updating isn’t feasible, users can revert to the previous stable version (Version 2411, Build 18227.20152) by following these steps:
1. Open Command Prompt with administrative privileges.
2. Execute the following commands:
   cd %programfiles%\Common Files\Microsoft Shared\ClickToRun
   officec2rclient.exe /update user updatetoversion=16.0.18227.20152
3. To prevent automatic re-updating, disable updates by navigating to File > Office Account > Update Options > Disable Updates. Remember to re-enable updates after February 11th to ensure future patches are applied.
Sources: Microsoft, Bleeping Computer
Fortinet Warns of New Zero-Day Used in Attacks on Firewalls with Exposed Interfaces
Fortinet has disclosed a critical zero-day vulnerability, CVE-2024-55591, affecting FortiOS and FortiProxy. This authentication bypass flaw allows unauthenticated attackers to gain super-admin privileges via crafted requests to the Node.js WebSocket module. The vulnerability has been actively exploited in the wild, with attackers creating new admin and local user accounts, modifying firewall policies, and altering configurations.
Affected Versions:
- FortiOS: 7.0.0 through 7.0.16 (fixed in 7.0.17 or above)
- FortiProxy: 7.0.0 through 7.0.19 (fixed in 7.0.20 or above), 7.2.0 through 7.2.12 (fixed in 7.2.13 or above)
Other versions of FortiOS (6.4, 7.2, 7.4, 7.6) and FortiProxy (2.0, 7.4, 7.6) are not affected.
Source: Rapid7
OneBlood confirms personal data stolen in July ransomware attack
In July 2024, OneBlood, a nonprofit blood donation organization serving over 250 hospitals across the southeastern United States, experienced a significant ransomware attack. The incident led to the encryption of their virtual machines, compelling the organization to revert to manual processes for blood collection, testing, and distribution. This operational disruption prompted hospitals to activate critical blood shortage protocols.
Following a comprehensive investigation concluded in December 2024, OneBlood confirmed that between July 14 and July 29, 2024, unauthorized parties accessed and exfiltrated files containing personal information, including names and Social Security numbers of donors. The organization began notifying affected individuals in January 2025, offering complimentary credit monitoring and identity theft protection services for 12 months.
OneBlood has since reported the data breach to state regulators, including those in Maine, Vermont, and Massachusetts. While the total number of affected individuals remains undisclosed, the organization specified that 281 residents in Maine were impacted.
In response to the attack, OneBlood has implemented enhanced security measures to safeguard against future incidents and continues to collaborate with law enforcement agencies during the ongoing investigation.
Sources: Bleeping Computer, The Record, The HIPAA Journal
Docker Desktop blocked on Macs due to false malware alert
In early January 2025, macOS users encountered issues launching Docker Desktop due to a false malware alert stating, “com.docker.vmnetd was not opened because it contains malware.”
Cause of the Issue:
The false alert resulted from incorrect code-signing signatures on certain Docker Desktop files, leading macOS security features to misidentify them as malicious.
Affected Versions:
- Docker Desktop versions 4.32 to 4.36 are impacted.
- Versions 4.28 and earlier are unaffected.
Resolution:
Docker has released version 4.37.2 to address this issue. Users should update to this version through the application. For those unable to bypass the malware warning, Docker provides detailed instructions on their official documentation page.
Workaround:
If updating is not immediately possible, users can follow a workaround to resolve the issue. This involves stopping Docker processes, reinstalling binaries, and ensuring the system correctly recognizes Docker’s components. A step-by-step guide is available to assist users through this process.
Official Statement:
Docker has acknowledged the problem, stating, “We want to inform you about a new issue affecting Docker Desktop for some macOS users. This causes Docker Desktop to not start. Some users may also have received malware warnings. Those warnings are inaccurate.”
Users are advised to update Docker Desktop promptly to ensure continued functionality and to prevent future issues.
Sources: Bleeping Computer, Techradar
Phishing texts trick Apple iMessage users into disabling protection
Cybercriminals have developed a new phishing tactic targeting Apple iMessage users, aiming to disable the platform’s built-in phishing protection. This protection automatically disables links in messages received from unknown senders. However, attackers are now sending deceptive messages prompting users to reply with “Y” or similar responses. Responding to these messages re-enables the links, thereby exposing users to potential scams and malicious websites.
How the Scam Works:
1. Initial Message: Users receive a phishing text from an unknown sender, often impersonating legitimate organizations like postal services or toll agencies. These messages claim issues such as delivery problems or unpaid tolls.
2. Prompt to Reply: The message instructs the recipient to reply with “Y” or another specific response to proceed.
3. Disabling Protection: Replying to the message causes iMessage to recognize the sender as known, re-enabling disabled links.
4. Malicious Links Activated: Once links are active, users may be enticed to click, leading to phishing sites designed to steal personal and financial information.
Protective Measures:
- Avoid Responding: Do not reply to messages from unknown senders, especially those requesting confirmation or actions.
- Verify Legitimacy: Independently contact the organization purportedly sending the message using official channels to confirm its authenticity.
- Enable “Filter Unknown Senders”: Activate this feature in iMessage to separate messages from unknown contacts, reducing the risk of interacting with potential scams.
- Report Suspicious Messages: For phishing messages appearing to come from Apple, take a screenshot and email it to reportphishing@apple.com.
By remaining vigilant and following these precautions, users can better protect themselves from phishing attacks that exploit iMessage’s security features.
Sources: Bleeping Computer, csa.gov
New UEFI Secure Boot Vulnerability Could Allow Attackers to Load Malicious Bootkits
A critical vulnerability identified as CVE-2024-7344 has been discovered, affecting the Unified Extensible Firmware Interface (UEFI) Secure Boot mechanism. This flaw permits attackers to bypass Secure Boot protections, enabling the execution of untrusted code during the system’s boot process and facilitating the deployment of persistent and stealthy bootkits.
Key Details:
- Vulnerability Overview: CVE-2024-7344 allows malicious actors to execute unsigned code during system startup, effectively compromising the Secure Boot process. This breach can lead to the installation of bootkits that persist across system reboots and remain hidden from standard security measures.
- Affected Systems: The vulnerability impacts a wide range of UEFI-based systems, particularly those with Microsoft’s third-party UEFI signing enabled. Notably, Windows 11 Secured-core PCs typically have this option disabled by default, offering them protection against this specific exploit.
- Exploitation Method: Attackers can leverage this flaw by exploiting a Microsoft-signed UEFI application, which permits the execution of untrusted code during the boot sequence, thereby bypassing Secure Boot safeguards.
Mitigation Measures:
- Firmware Updates: System and motherboard manufacturers are releasing firmware patches to address CVE-2024-7344. Users should promptly apply these updates to secure their systems against potential attacks.
- Microsoft’s Response: Microsoft has initiated the revocation of vulnerable UEFI modules and is collaborating with hardware vendors to distribute necessary patches. Users are advised to install the latest Windows updates to ensure comprehensive protection.
Recommendations:
- Stay Informed: Regularly check for updates from your system’s manufacturer and apply them as soon as they become available.
- Review Security Settings: Ensure that Secure Boot is enabled and properly configured in your system’s BIOS or UEFI settings.
- Monitor Official Channels: Keep an eye on official communications from Microsoft and other relevant entities for further guidance and updates regarding this vulnerability.
By staying vigilant and proactive, users can mitigate the risks associated with CVE-2024-7344 and maintain the integrity of their systems.
Sources: welivesecurity
Over 660,000 Rsync servers exposed to code execution attacks
A recent security assessment has revealed that over 660,000 Rsync servers are exposed to potential code execution attacks due to multiple vulnerabilities, notably a critical heap-buffer overflow flaw identified as CVE-2024-12084.
Key Vulnerabilities:
1. Heap Buffer Overflow (CVE-2024-12084): This critical flaw arises from improper handling of checksum lengths in the Rsync daemon, leading to out-of-bounds writes in the buffer. Exploitation can result in arbitrary code execution.
2. Information Leak via Uninitialized Stack (CVE-2024-12085): This vulnerability allows leakage of uninitialized stack data during file checksum comparisons, potentially exposing sensitive information.
3. Server Leaks Arbitrary Client Files (CVE-2024-12086): A malicious server can enumerate and reconstruct arbitrary client files byte-by-byte using manipulated checksum values during file transfer.
4. Path Traversal via --inc-recursive Option (CVE-2024-12087): Inadequate symlink verification when using the --inc-recursive option allows malicious servers to write files outside intended directories on the client.
5. Bypass of --safe-links Option (CVE-2024-12088): Rsync fails to properly verify symbolic link destinations containing other links, resulting in path traversal and arbitrary file writes outside designated directories.
6. Symbolic Link Race Condition (CVE-2024-12747): A race condition in handling symbolic links may allow attackers to access sensitive files and escalate privileges.
Impact:
Successful exploitation of these vulnerabilities could allow attackers to execute arbitrary code, leak sensitive information, or perform unauthorized file operations on affected systems. The CERT Coordination Center (CERT/CC) has identified several Linux distributions as impacted, including Red Hat, Arch, Gentoo, Ubuntu, NixOS, AlmaLinux OS Foundation, and the Triton Data Center.
Recommendations:
- Update Rsync: Users are strongly advised to upgrade to Rsync version 3.4.0 or later, which addresses these vulnerabilities.
- Restrict Access: Configure Rsync daemons to require authentication and limit access to trusted clients.
- Monitor and Audit: Regularly review server configurations and access logs for any unauthorized activities.
By promptly applying these updates and following best practices, administrators can mitigate the risks associated with these vulnerabilities.
Sources: cisecurity
Ransomware abuses Amazon AWS feature to encrypt S3 buckets
A recent ransomware campaign orchestrated by the threat actor known as “Codefinger” has been targeting Amazon Web Services (AWS) Simple Storage Service (S3) buckets. The attackers exploit compromised AWS credentials to encrypt data stored in S3 buckets using AWS’s own Server-Side Encryption with Customer-Provided Keys (SSE-C) feature. This method renders the data inaccessible without the decryption key, which is held by the attackers, effectively locking out the legitimate owners from their own data.
Attack Methodology:
- Credential Compromise: The attackers first obtain valid AWS credentials, which may occur through phishing, credential stuffing, or other unauthorized access methods.
- Identifying Vulnerable Buckets: Using the compromised credentials, the attackers search for S3 buckets with ‘s3:GetObject’ and ‘s3:PutObject’ permissions, allowing them to read and write objects within the buckets.
- Encrypting Data: The attackers then utilize the SSE-C feature to re-encrypt the existing data in the S3 buckets. They generate their own encryption keys and apply them to the data, effectively locking out the legitimate users. Since AWS does not store customer-provided keys, recovery without the attacker’s key is impossible.
- Demanding Ransom: After encrypting the data, the attackers leave ransom notes within the affected directories, instructing victims to pay a specified amount, often in cryptocurrency, to receive the decryption key.
Preventive Measures:
- Restrict SSE-C Usage: Implement Identity and Access Management (IAM) policies that prevent or limit the use of SSE-C, especially if it is not required for your operations. This reduces the risk of unauthorized encryption of your data.
- Regular Credential Audits: Regularly audit and rotate AWS credentials to minimize the risk of compromised access. Implement multi-factor authentication (MFA) to add an extra layer of security.
- Monitor Access Patterns: Utilize AWS CloudTrail and other monitoring tools to detect unusual access patterns or activities within your S3 buckets. Promptly investigate any anomalies to prevent potential attacks.
- Data Backup and Recovery Plans: Maintain regular backups of your data and have a robust disaster recovery plan in place. This ensures that you can restore your data without yielding to ransom demands.
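Two of the measures above, denying SSE-C where it is not needed and watching CloudTrail for its use, can be demonstrated together. The code below is an added example, not from the original roundup or from AWS: it scans S3 data-event records for writes that carried a customer-provided key, groups them by the calling identity (a burst of such writes from one principal is the pattern described above), and emits a bucket policy that refuses them. The CloudTrail records are constructed; the `requestParameters` field name is assumed to mirror the S3 request header `x-amz-server-side-encryption-customer-algorithm`, so confirm it against records from your own account before using the filter in production.

```python
"""Detect SSE-C writes in CloudTrail S3 data events and build a deny policy."""
import json
from collections import Counter

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
WRITE_EVENTS = {"PutObject", "CopyObject"}  # both can apply SSE-C to an object

# Constructed CloudTrail S3 data events, reduced to the fields used here.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-14T02:13:55Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-deploy"},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"bucketName": "acme-reports", "key": "q1/sales.csv",
                           SSEC_HEADER: "AES256"}},
    {"eventTime": "2025-01-14T02:13:56Z", "eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-deploy"},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"bucketName": "acme-reports", "key": "q1/costs.csv",
                           SSEC_HEADER: "AES256"}},
    {"eventTime": "2025-01-14T02:14:30Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/etl-job"},
     "sourceIPAddress": "10.0.4.12",
     "requestParameters": {"bucketName": "acme-reports", "key": "q1/load.parquet",
                           "x-amz-server-side-encryption": "aws:kms"}},
    {"eventTime": "2025-01-14T02:15:01Z", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-deploy"},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"bucketName": "acme-reports", "key": "q1/sales.csv"}},
]


def find_ssec_writes(events):
    """Return the write events whose request supplied a customer-provided key."""
    hits = []
    for event in events:
        params = event.get("requestParameters") or {}
        if event.get("eventName") in WRITE_EVENTS and SSEC_HEADER in params:
            hits.append({
                "time": event.get("eventTime"),
                "event": event["eventName"],
                "principal": (event.get("userIdentity") or {}).get("arn"),
                "ip": event.get("sourceIPAddress"),
                "object": "s3://%s/%s" % (params.get("bucketName"), params.get("key")),
            })
    return hits


def principals_over_threshold(hits, threshold=1):
    """Identities with more SSE-C writes than `threshold`; SSE-C applied in bulk
    by a single principal is the re-encryption pattern described above."""
    counts = Counter(hit["principal"] for hit in hits)
    return {arn: n for arn, n in counts.items() if n > threshold}


def deny_ssec_bucket_policy(bucket):
    """Bucket policy that denies any PutObject carrying an SSE-C algorithm header.
    CopyObject is authorised as s3:PutObject on the destination, so one action
    covers both write paths. The Null operator tests for the header's presence."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::%s/*" % bucket,
            "Condition": {"Null": {"s3:" + SSEC_HEADER: "false"}},
        }],
    }


if __name__ == "__main__":
    hits = find_ssec_writes(SAMPLE_EVENTS)
    for hit in hits:
        print("%(time)s %(event)s %(object)s by %(principal)s from %(ip)s" % hit)
    print("bulk SSE-C principals:", principals_over_threshold(hits))
    print(json.dumps(deny_ssec_bucket_policy("acme-reports"), indent=2))
```

Attach the policy only to buckets whose workloads never legitimately use SSE-C; where a workload does, scope the statement to the principals that must not use it instead of `"Principal": "*"`. The detection side needs S3 data events enabled in CloudTrail, which are not logged by default.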
By adopting these security best practices, organizations can significantly reduce the risk of falling victim to such ransomware attacks and protect their critical data stored in AWS S3 buckets.
Sources: Bleeping Computer, aws.amazon
WordPress Skimmers Evade Detection by Injecting Themselves into Database Tables
A recent cybersecurity analysis has uncovered a sophisticated credit card skimmer targeting WordPress e-commerce websites. This malware injects malicious JavaScript directly into the WordPress database, specifically within the wp_options table under the widget_block entry. By embedding itself in the database rather than in theme files or plugins, the skimmer evades detection by traditional file-based security scans.
How the Skimmer Operates:
- Activation: The malicious script activates on checkout pages by detecting the presence of “checkout” in the URL, ensuring it operates only when users are entering payment information.
- Data Capture: It dynamically generates a counterfeit payment form resembling legitimate processors like Stripe or captures data entered into existing payment fields in real-time.
- Data Exfiltration: The captured payment details, including credit card numbers, expiration dates, CVV codes, and billing information, are obfuscated using Base64 encoding and AES-CBC encryption. The encrypted data is then transmitted to attacker-controlled servers via the navigator.sendBeacon function, which allows data to be sent without disrupting the user's browsing experience.
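Because the payload lives in wp_options rather than on disk, file integrity monitoring will not see it; the database has to be inspected directly. The following is an added example, not code from the original roundup or from Sucuri: it takes exported (option_name, option_value) rows, pulls out inline `<script>` blocks, and scores each against the traits described above (a checkout-URL gate, `navigator.sendBeacon`, `atob` decoding, AES usage, injected form elements, and long Base64 blobs). The rows are constructed; the flagged one is an inert fragment that contains only the indicator strings, and its serialized-PHP wrapper is approximate. The scan covers every option row, not only widget_block, since the same technique works from any option that a theme or widget renders.

```python
"""Score inline scripts found in wp_options rows for skimmer traits."""
import re

# One regex per trait; a script scores one point per trait matched.
INDICATORS = {
    "checkout_gate": re.compile(r"checkout", re.I),
    "beacon_exfil": re.compile(r"navigator\.sendBeacon"),
    "base64_decode": re.compile(r"\batob\s*\("),
    "aes_usage": re.compile(r"\bAES\b|CryptoJS|crypto\.subtle", re.I),
    "form_injection": re.compile(r"createElement\s*\(\s*['\"](form|input)['\"]", re.I),
    "long_b64_blob": re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Constructed (option_name, option_value) rows; the third is the inert sample.
SAMPLE_ROWS = [
    ("siteurl", "https://shop.example"),
    ("widget_block",
     'a:1:{i:2;a:1:{s:7:"content";s:58:"<!-- wp:paragraph --><p>Free shipping over $50</p>";}}'),
    ("widget_block",
     'a:1:{i:3;a:1:{s:7:"content";s:0:"<!-- wp:html --><script>'
     'if(location.href.indexOf("checkout")>-1){'
     'var f=document.createElement("form");'
     'var k="QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5";'
     'navigator.sendBeacon(atob(k),"CONSTRUCTED_PLACEHOLDER")}'
     '</script>";}}'),
]


def extract_scripts(option_value):
    """Return the bodies of all inline <script> blocks in an option value."""
    return SCRIPT_RE.findall(option_value)


def match_traits(script):
    """Sorted names of the indicator regexes that match the script body."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script))


def scan_options(rows, threshold=3):
    """One finding per inline script: option name, matched traits, verdict.
    Any script stored in wp_options is worth a look, so scripts that match
    fewer than `threshold` traits are still reported as 'review'."""
    findings = []
    for option_name, option_value in rows:
        for script in extract_scripts(option_value):
            traits = match_traits(script)
            findings.append({
                "option": option_name,
                "traits": traits,
                "verdict": "likely skimmer" if len(traits) >= threshold else "review",
            })
    return findings


if __name__ == "__main__":
    for finding in scan_options(SAMPLE_ROWS):
        print("%(option)s: %(verdict)s (%(traits)s)" % finding)
```

To run this against a real site, export the rows with a query such as `SELECT option_name, option_value FROM wp_options WHERE option_value LIKE '%<script%'` and pass them in as tuples; the table prefix may differ from `wp_`. Treat any hit as a starting point for review rather than a verdict, and compare the stored widget content with what the site owner expects to be there.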
Implications:
This stealthy approach enables attackers to harvest sensitive payment information from unsuspecting customers, potentially leading to fraudulent transactions and significant financial losses for both consumers and businesses.
Recommendations:
- Regular Updates: Ensure that WordPress installations, themes, and plugins are up to date to mitigate known vulnerabilities.
- File Integrity Monitoring: Implement monitoring tools to detect unauthorized changes to website files.
- Admin Account Management: Use strong, unique passwords for admin accounts and consider enabling two-factor authentication to enhance security.
- Web Application Firewall (WAF): Deploy a WAF to filter out malicious traffic and provide an additional layer of protection against such attacks.
By adopting these measures, website administrators can bolster their defenses against this and similar threats, safeguarding both their operations and their customers’ sensitive information.
Sources: TheHackerNews, blog.sucuri
Ivanti Patches Critical Vulnerabilities in Endpoint Manager
Ivanti has recently addressed multiple critical and high-severity vulnerabilities in its Endpoint Manager (EPM) software, which is widely used for unified endpoint management. The most severe of these are four absolute path traversal flaws, tracked as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159, each with a CVSS score of 9.8. These vulnerabilities could allow remote, unauthenticated attackers to leak sensitive information.
Affected Versions:
- EPM 2024 and 2022 SU6 versions with the November 2024 security update installed.
Other Resolved Vulnerabilities:
In addition to the critical flaws, Ivanti has patched 12 high-severity defects that could lead to remote code execution (RCE), denial-of-service (DoS), and privilege escalation. Notably, the DoS vulnerabilities and three of the RCE flaws could be exploited remotely without authentication.
Recommendations:
Organizations using Ivanti Endpoint Manager are strongly advised to apply the January 2025 security updates promptly to mitigate these vulnerabilities. Regularly updating software and monitoring for security advisories are essential practices to maintain system integrity and protect against potential exploits.
For detailed information and guidance on applying the updates, please refer to Ivanti’s official security advisory.
Sources: securityweek, forums.ivanti
OWASP’s New LLM Top 10 Shows Emerging AI Threats
The Open Worldwide Application Security Project (OWASP) has recently released its inaugural “Top 10 for Large Language Models (LLMs) and Generative AI,” highlighting critical security risks associated with AI technologies. This comprehensive list aims to guide developers, data scientists, and security professionals in identifying and mitigating vulnerabilities inherent in AI applications.
Key Highlights from the OWASP LLM Top 10:
- Prompt Injection: This vulnerability allows attackers to manipulate AI model outputs by crafting specific inputs, potentially leading to unintended or malicious responses.
- Data Poisoning: Attackers can compromise AI models by introducing malicious data during the training phase, resulting in models that produce incorrect or harmful outputs.
- Model Inversion: This technique enables attackers to extract sensitive information from AI models, posing privacy risks.
- Supply Chain Vulnerabilities: AI applications are susceptible to threats originating from third-party components, underscoring the need for robust supply chain security.
- Adversarial Attacks: Subtle modifications to input data can deceive AI models into making incorrect decisions, posing significant security challenges.
- Model Theft: Unauthorized replication of AI models can lead to intellectual property theft and misuse.
- Denial of Service (DoS): AI systems can be overwhelmed by excessive requests, leading to service disruptions.
- Bias and Fairness Issues: AI models may inadvertently perpetuate biases present in training data, resulting in unfair or discriminatory outcomes.
- Lack of Explainability: The opaque nature of some AI models can hinder understanding and trust, complicating security assessments.
- Resource Exhaustion: Attackers can exploit AI models to consume excessive computational resources, leading to performance degradation.
Implications for the Industry:
The release of this Top 10 list underscores the critical need for integrating security measures throughout the AI development lifecycle. As AI technologies become increasingly prevalent, addressing these vulnerabilities is essential to protect users and maintain trust in AI systems.
Sources: genai.owasp, darkreading
Google Ads Users Targeted in Malvertising Scam Stealing Credentials and 2FA Codes
A recent malvertising campaign has been identified, targeting Google Ads users by impersonating the Google Ads platform to steal credentials and two-factor authentication (2FA) codes. This sophisticated attack involves fraudulent ads that, when clicked, redirect users to phishing sites designed to capture sensitive information.
How the Attack Operates:
- Deceptive Ads: The attackers create fake Google Ads that appear legitimate, leading users to believe they are interacting with the official Google Ads platform.
- Phishing Sites: Clicking on these ads redirects users to fraudulent websites hosted on Google Sites, which then lead to external phishing sites.
- Credential and 2FA Capture: These phishing sites are designed to capture user credentials and 2FA codes via WebSocket connections, exfiltrating the data to remote servers controlled by the attackers.
Implications:
This attack allows cybercriminals to hijack Google Ads accounts, misuse advertising budgets, and propagate further phishing campaigns using compromised accounts.
Recommendations:
- Exercise Caution: Be vigilant when clicking on ads, especially those that appear when searching for services like Google Ads.
- Verify URLs: Ensure that the URLs you visit are legitimate and correspond to the official websites of the services you intend to use.
- Enable 2FA: Use two-factor authentication for added security on your accounts.
- Stay Informed: Regularly update your knowledge on current phishing tactics and malvertising schemes to better recognize and avoid them.
By staying vigilant and informed, users can better protect themselves against such sophisticated phishing attacks.
Sources: thehackernews
Python-Based Malware Powers RansomHub Ransomware to Exploit Network Flaws
A recent cybersecurity investigation has uncovered a sophisticated attack chain where a Python-based backdoor facilitates the deployment of RansomHub ransomware, exploiting network vulnerabilities to infiltrate and compromise systems.
Attack Sequence:
- Initial Compromise via SocGholish Malware: The attack begins with the delivery of SocGholish (also known as FakeUpdates), a JavaScript malware distributed through deceptive drive-by download campaigns. These campaigns often involve compromised legitimate websites that redirect users to malicious sites via black hat SEO techniques. Upon execution, SocGholish establishes contact with an attacker-controlled server to retrieve secondary payloads.
- Deployment of Python-Based Backdoor: Approximately 20 minutes after the initial infection, the threat actor deploys a Python-based backdoor. This backdoor functions as a reverse proxy, connecting to a hard-coded IP address and establishing a SOCKS5-based tunnel. This tunnel enables the attacker to move laterally within the compromised network, using the victim system as a proxy.
- RansomHub Ransomware Deployment: Leveraging the established backdoor, the attacker deploys RansomHub ransomware across the network, encrypting data and demanding ransom for decryption.
Implications:
This attack chain highlights the critical need for robust endpoint security measures and vigilant monitoring of network traffic to detect and mitigate such sophisticated threats.
Recommendations:
- Implement Endpoint Detection and Response (EDR) Solutions: Deploy advanced EDR tools to monitor and respond to suspicious activities on endpoints.
- Regularly Update and Patch Systems: Ensure that all systems are up to date with the latest security patches to close known vulnerabilities.
- Conduct Security Awareness Training: Educate users about phishing tactics and the dangers of downloading software from untrusted sources.
- Monitor Network Traffic: Continuously monitor network traffic for unusual patterns that may indicate lateral movement or data exfiltration.
By adopting these measures, organizations can enhance their defenses against such multifaceted cyber threats.
Sources: thehackernews
Malicious PyPi package steals Discord auth tokens from devs
A malicious package named ‘pycord-self’ has been discovered on the Python Package Index (PyPI), specifically targeting Discord developers. This package masquerades as the legitimate ‘discord.py-self’ library, which facilitates communication with Discord’s user API, enabling developers to control accounts programmatically. The authentic ‘discord.py-self’ library has amassed nearly 28 million downloads.
Malicious Activities:
- Token Theft: The ‘pycord-self’ package is designed to steal Discord authentication tokens from developers. These tokens grant unauthorized access to Discord accounts, even bypassing two-factor authentication (2FA) protections.
- Backdoor Installation: Beyond token theft, the package establishes a persistent backdoor by creating a connection to a remote server through port 6969. This backdoor allows attackers to maintain continuous access to the victim’s system, facilitating further exploitation.
Recommendations:
- Verify Package Sources: Always ensure that packages are sourced from official authors and repositories. Be cautious of similarly named packages, as they may be attempts at typosquatting.
- Review Code: If possible, inspect the code of packages before installation to identify any suspicious or obfuscated functions.
- Utilize Security Tools: Employ security tools that can detect and block malicious packages, enhancing your development environment’s security posture.
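The first recommendation above, treating similarly named packages as suspect, is easy to automate against a dependency list. The code below is an added example, not from the original roundup or from any package-scanning product: it normalises names the way PyPI does (PEP 503), accepts anything on a team-maintained allowlist, and flags any other name whose normalised form closely resembles an allowlisted one. The allowlist, requirements file and similarity threshold are constructed for the demonstration; `difflib.SequenceMatcher` is a heuristic, so tune the threshold for your own allowlist rather than treating the cutoff here as definitive.

```python
"""Flag look-alike package names in a requirements list against an allowlist."""
import re
from difflib import SequenceMatcher

SIMILARITY_THRESHOLD = 0.6  # heuristic cutoff; tune for your allowlist

# Constructed allowlist of packages the team has vetted
TRUSTED = ["requests", "discord.py-self", "numpy", "flask"]

# Constructed requirements file; 'pycord-self' is the look-alike from the story
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
pycord-self          # resembles discord.py-self
reqeusts
numpy>=1.26
leftpad
"""


def normalize(name):
    """PEP 503 normalisation: runs of '-', '_' and '.' become '-', lowercased.
    PyPI treats names equal under this rule as the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line):
    """Project name from one requirements line, or None for blanks/comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    return re.split(r"[\s\[<>=!~;@]", line, 1)[0]


def classify(name, trusted=TRUSTED):
    """Return status 'trusted', 'possible-typosquat' or 'unknown' for a name,
    together with the closest allowlisted project and the similarity ratio."""
    norm = normalize(name)
    trusted_norm = {normalize(t): t for t in trusted}
    if norm in trusted_norm:
        return {"name": name, "status": "trusted",
                "closest": trusted_norm[norm], "ratio": 1.0}
    closest, best = None, 0.0
    for candidate_norm, original in trusted_norm.items():
        ratio = SequenceMatcher(None, norm, candidate_norm).ratio()
        if ratio > best:
            closest, best = original, ratio
    status = "possible-typosquat" if best >= SIMILARITY_THRESHOLD else "unknown"
    return {"name": name, "status": status, "closest": closest, "ratio": round(best, 2)}


def check_requirements(text, trusted=TRUSTED):
    """Classify every requirement in a requirements-file body."""
    results = []
    for line in text.splitlines():
        name = requirement_name(line)
        if name:
            results.append(classify(name, trusted))
    return results


if __name__ == "__main__":
    for result in check_requirements(SAMPLE_REQUIREMENTS):
        print("%(name)-14s %(status)-19s closest=%(closest)s ratio=%(ratio)s" % result)
```

Run it in CI against the lockfile or requirements file; a `possible-typosquat` result should block the build until someone confirms the package is the intended one, and an `unknown` result means the allowlist needs a deliberate decision rather than a silent addition.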
By adhering to these practices, developers can mitigate the risks associated with malicious packages and protect their systems and data from unauthorized access.
Sources: Bleeping Computer